Hi, good afternoon or good evening, good morning, wherever you are and welcome to this latest webinar, KuppingerCole and today with Keeper Security we'll be talking about perfecting privileged access management or at least trying to. With me today is Zane Bond who is Head of Product with Keeper Security and we'll be hearing from Zane in a little bit but first just a few housekeeping notes, no need for you to do anything, you're muted so you don't have to unmute yourself.
We're running some polls, actually we're running some quizzes during this webinar, a slight change there but there is a Q&A session at the end where you can enter questions using the control panel that you'll see on your screen and of course we are recording the whole thing so if any of your colleagues wish to see it afterwards it will be available as a download in the next few days.
So that's all that for the housekeeping, now we have something rather exciting, you can win these headphones, we're doing a quiz throughout the webinar and we'll basically find the winner and let them know after the webinar but these headphones are worth around $200, they sound amazing apparently, haven't tried them myself, I'm sure they're better than these ones. Stuff magazine said they're great so noise cancelling as brilliant as ever, well we all know that Bose headphones are good so those could be yours if you get all the questions right in our quiz and here is the first quiz question.
So the question is, of all data breaches that occur each year, what percentage are due to weak and stolen passwords? So you have three options, 81%, 25%, 50%, so just add your answers. So into the main event, as it were, and what were we talking about.
I'll do a very brief overview of PAM as it is now, some of the choices you have for multiple devices and then Zane will take over with a more in-depth look at the next generation of PAM, PAM next gen perhaps that's what he'll call it and how to achieve simplicity and security, something very difficult to do in today's IT world and then we'll have your chance for questions, you can add your questions into the tool on your screen as well and we'll take those as they come.
So let's go, I always like to start my presentations with this saying that everything works with everything else which is my way of summing up the world of IT, the world of business IT that we have now currently.
I mean actually you could say that everything connects with everything else because it doesn't necessarily work but we do have this ginormous connection connectivity where everything does indeed work with everything else and then I've also simplified what PAM is or what access management is so instead of putting it into all sorts of archaic technical language what you're actually talking about is a thing which can be a person or a human sorry or a machine or even a service account but in any case it's just something that wants access and so to do that we have to give the thing an identity so we know what it is so whether it's a machine or a person or something else and then we give it a credential and that's what gives it access to the stuff.
So that process is what we're all doing every single day in everything that we do kind of at our desktops and again I've simplified it right down to these few lines but in reality and as Zane will explain things are actually quite complicated behind the scenes. So I really like that one right it takes a very complex set of systems and just simplifies it down to you know this is what you need to do your job and you know yeah we have controls when you're dealing with you know the keys to the kingdom but this is great.
Well you can even simplify a little further just call it thing and stuff if you want to just cut out but that might be simplifying it a little bit too much but that's why I highlighted those those two words there but yeah it's pretty much what's happening what we're doing right now in fact and then what makes life more complicated is all this.
So we have different types of identities that we have put in sort of four buckets here but I mean there are more so we have people looking to get onto devices, computers, mobile etc and then we have what's traditionally being called IT admin accounts so all the guys that actually decide how things work and also decide who gets credentials to provision this is where it starts getting complicated because those people have need access before they can give other people access but now we have identities within software so we have all these weirdo thing containers, microservices, applications, APIs etc and they too are adding to this mix of identities that are all bubbling around looking to do stuff and increasingly those things are sometimes allowed to do stuff pretty much uncontested and not managed and then of course behind it all we've also got automation I was didn't actually I think I did this slide before the invention of AI which we all know and was invented this year no other year and so but of course machine learning I think is a more accurate way to describe what we have now but the tools that we are seeing coming out are also using a combination of APIs and code and stuff to do the machine learning that is now exciting everybody in writing reports and stuff so that's just again this is probably simplified but I think I forgot the actual statistic but I think machine identities are going to outnumber human or user identities something like 100 to 1 or something like that it's a big number and increasingly PAM or legacy PAM or existing PAM platforms don't actually have the capacity to deal with the speed and scale of those identities but you can see that this is some research that we did I think last year just asking customers or our customers how many PAM solutions they use and whilst the majority still only use one it was interesting that we have 23% using two 16% using three or more that suggests two things one is a confusion in the market not knowing which 
is the best PAM system to buy so they end up with more than one and sometimes line of business will buy their own version of PAM compared to the one that was originally set up by IT five years ago but it also means that there is confusion in how to make PAM work and I think that that's why they buy one and some of the legacy PAM applications of platforms are known for being very very comprehensive very very good but also very very hard to deploy and very hard to administer so we're getting to a situation where when the need for PAM is changing in terms of things like machine identities and for people like developers and DevOps and people that need fast access to stuff you're finding that they probably want PAM that's a little bit faster a little bit more cloud native and a little bit different so there is this shift happening in the PAM market quite significantly right now so we have the big players on one side and then we have I don't like to say smaller players they're just literally you know smaller companies but they're actually quite often more innovative and also more targeted towards some of the applications that we need right now and again this is really an attempt to show how identity flow management is working particularly in the cloud because if more than anything the cloud has well it's clouded the market let's use a cliche there but it certainly has meant that when everything was on premise when everything was fairly easy to localize and find then identity and access management was also quite easy so again we have our types of identities looking for access so people machines third party I didn't even talk about third parties but of course that is now another area and customers that are becoming able to enter different partner networks and the partners will have partners and so on and it gets back to that original slide of everything works with everything else so they're using a combination now increasingly of PAM but also the newer things called cloud 
infrastructure entitlement management and traditional IAM but there is now an emerging thing called identity threat detection and remediation I think that's Zane is that right ITDR it's a new one that has suddenly hit and it's kind of a version of CIEM with a bit of PAM and so on but it's it's kind of taking they're actually the very sensible view that you need to understand who your identities are and whether they are being abused or not so all that is happening so getting back to every you know people wanting access to stuff and then that's all the stuff again the list of resources could go on forever as it increasingly changes and I should probably add ITDR to this slide when I update it you know keep it keep it current and probably and probably there's definitely no shortage of acronyms in our space no no I'm still getting my head around ITDR and see whether it is actually a thing or whether it's just a capability that could actually be attached to these three but I'll add it anyway because you know we like to be on the on the ball here so that's what's happening there and there's a picture of Andy Warhol here for the reason was that I like the quote that he is famous for which is in the future everybody will be famous for 15 minutes and I kind of changed that around to in the future everyone will have privileged access for 15 minutes access for 15 minutes because that's kind of where we're going we are moving away from an infrastructure of standing privilege and much more into just in time and no standing privilege or that's going to take some time to to change and the reason are that the forces are happening identify three here so we have velocity density and dispersion so velocity is simply the speed at which identities are looking for access which is when I'm talking about things like DevOps and machines they want access on the spot they want it for like I don't know 10 minutes or something and then it needs to be quick the sheer density of identities is an 
issue because like I said they're multiplying out of control and they're dispersed they are no longer your employees they're no longer just that that sort of number of people whatever it is that you could safely manage from an existing IAM or PAM tool they're everywhere now and you don't know actually probably where some of these identities are coming from they could be coming from like I said partners of partners or somewhere else in the supply chain so that's so there has been a reaction and the reaction was again what I call a PAMocracy so we now have or we are moving towards a time when identities people and machines etc all will have privileged access of some sort at some point in their working day or if not the working day then a working week simply because we are shifting the emphasis of privilege from the user the identity into the thing or the resources that they want to access and that's what should be privileged so on that here is the second question of all the site I hope you're hope you're all playing along as they say on TV very nice headphones of all the cyber attacks taking place each year what percentage are targeted at small and mid-sized businesses so 10 46.
While we give the audience seconds to answer I think you you really touched the nail on the head really well in your last slide where things kind of evolve it almost feels like it's an individual journey for each company like as they go through their security maturity journey their needs increase and their needs for security and data privacy increase too yeah absolutely and the one thing that I've noticed is that when we do our events and we have end users coming in is that well I'm not going to say that they're confused but they're always looking for answers and last year's answers aren't necessarily going to be the right ones for this year so yeah as each individual organization grows the needs change they might start off as a self-contained very small business but as soon as they start working with others they need that extra protection so good good point so hopefully you've all had time to think about that I can't remember that myself what the answer is so there you go so a little bit there's my friend Andy Warhol there again for no other reason than I like the picture of him and nothing to do with privilege really there is arguments for and against standing privilege kind of what's happening now because there is going to be certain industries or certain sectors that will hold out for standing privilege and the reasons are there on the screen because it does limit access to critical systems well this is the theory of course this is what standing privileges is what they say about it so it should limit access to critical systems to a small number of individuals there is no repeated authentication streamlined workflow improved productivity etc etc now the thing is those are the pros and I'm sure that Zane you could probably drive a truck through some of these pros which I'm sure you'd like to but simply put some companies just like standing privileges and they tend to be perhaps bigger more perhaps financial services more compliance or compliance checked 
organizations that need to be able to do tick box exercise and say yes only authorized individuals have access to this and therefore we pass the compliance but increasingly standing privileges are going to come up against these cons like I said the simply the velocity and density and dispersion of identities mean that you probably have more standing privileges than you you realize they are now much more exposed to being stolen and used by malicious actors it's difficult once you have standing privilege unless you have some kind of tool to admin which is something that we've been talking about it's difficult to actually revoke access and you know you hear all the time about companies that still have people you know zombie accounts or ghost employees that haven't worked at the company for some time and yet there's still an account set up for them because no one knows it's there they're also quite complex to manage in access management systems and so on so personally I think I can see why standing privilege is a is a an appeal or is appealing to certain organizations but I do think that in the world of privileged access that we are seeing the beginning of the end of standing privileges and much more to just in time as and when you need it everybody having some sort of privilege at some point now if I can just to sort of wrap up I'll just do a little bit of advertising for the PAM Leadership Compass which actually this came out earlier in 2023 and we'll soon be working on the 2024 version but if you are interested in the market as it sort of stands right now you will see that we have taken into account the emergence of CIEM platforms and their impact on also everything we talked about the cloud and device access demands multiple endpoints now needing to be serviced and so on vaults and passwords there is within a more granular part of PAM is the debate between continuing to use password which again is also very much part of your standing privilege into a more 
passwordless system or at least where end user machines never see any password and just in time and zero standing privilege are also beginning to impact the market so buyers are actually saying we want just in time we want zero standing privilege because that's what our CEO wants so finally this PAM choice is now wider but somehow it's a bit harder to actually choose which is the right solution so use the resources not just KuppingerCole but everybody that can provide you with information define what you see as your privilege framework and again work around that and how to build a privileged access management system or platform that works in the way that you work decide on essential capabilities some PAM solutions have everything in them and some people need everything a lot of organizations and this is from our own research as well show that they don't necessarily always want all the session recording or session monitoring good or bad but they just prefer to have the access and don't be afraid of automation and endpoint privilege management the more that is automated for you the better a machine or a software that is doing the tedious task for you leaves you with more time to do the important stuff and see where your identities are at threat and where your access is a threat and so on and finally look at new PAM and CIEM solutions and dare I suggest ITDR as well and see what's out there because the market for PAM is it's kind of mature and immature at the same time because it seemed like it's sewn up you know it was going to be the four big players and this is what PAM is but even in the short time that I've been four years or so the number of vendors has actually increased and that is despite consolidation within the market so it's a great time to be looking at PAM and it's really and I actually mean this it is quite exciting because people always say I'm really excited about some technology but I do find that this whole area is very exciting and interesting so I 
hope you do I find there's definitely a new room for new players because a lot of customers are just unsatisfied with what's being delivered with existing players that's you know yeah I think you're right and you know there are new players coming in and it's like you know exciting young athletes joining you know the club so that's my bit done I will hand over now to Zane.
A little bit about Keeper Security we are not a traditional PAM player we actually started out in the enterprise password management space we were the first password manager on the Apple App Store we spend a good amount of our time doing direct business to business interactions but we found that the password management space when you get really mature in that space you kind of evolve into and overlap with some of the core PAM use cases and was just a natural evolution for us to get through there so that's kind of like our journey when we look at what we have from our existing systems and what we have generally our customers like us our fundamental approach to most of the things we've done in the past is super easy to use super easy to deploy the apps are available on the App Store your management consoles are all cloud-based there's very little you know on-premise components or management or any little legacy stuff and so we enjoy that because our customers really really resonate with the simplicity of our deployment model for so many different things however we've found this time and time again if you look at any breach if you look at any major compromise where there's a significant you know amount of impact almost always credentials are used in this process for one way shape or form the Verizon data breach investigation report from this year they have this stat every year it usually goes somewhere between like mid 70s and mid 80s the amount of breaches where the human element including stolen passwords weak passwords credentials getting reused things like that is involved in almost every successful breach credentials and protecting them and protecting those identities doesn't always make the news because it's not the newest AI cyber whatever but these are the things that typically get you breached and we really try and hammer on the fact that you know protect the basics protect your core components because this is where the the challenges come from most of the 
time I ran a couple surveys and studies recently we were just looking to see how existing customers that have PAM solutions in their deployments in their environments feel about what they have what do they have to say and almost universally through the surveys through talking to customers etc is PAM provides really good capabilities but man is it complex it is tough to use it is tough to deploy and just a simplified version that allows us to meet the compliance regulations meet the security regulations and not have a lot of the extra fluff or challenge that we have to do is desirable and we're like well we could definitely do that almost always when you purchase some larger legacy PAM solution you're buying a whole bunch of capabilities and they're great but we find that very often they're they're not needed or used there's really specific core use cases like hey I failed an audit I need to do xyz to succeed it or you know we believe we have some risk protecting our crown jewels we want to put some controls in front of it if you focus on the security benefits and the company benefits not so much as features then you can really distill down and just get the things that you absolutely need and obviously streamlining deploying stuff is comes up all the time so when we're looking at the some of the core problems that exist like in in the PAM space or when just talking with customers about what are the types of issues that we run into where the problems that we run into number one is you it's it's difficult to protect what you can't see if you don't have the visibility into where your systems are who's using what who has access to it where your machines are what happened when someone on when someone was on the device it is very very difficult also you end up with a good amount of credentials being all over the place and just understanding where they are how they're getting used is difficult this is both from like an insider threat from an external threat or even from 
just human error right if someone has access to too many things or is unaware of what the impact of rotating a credential is then you could have you know significant outages with no malicious intent it's just if you don't know the impact of a potential change it's it's uh potentially quite a challenge right question time first question I have here uh what percentage of people reuse the same passwords across multiple accounts they have access to I left out 100 because you know we're not there well yeah I would yeah well I would guess that one myself is pretty high uh because that's exactly what I do so yes um even across the security conscious just yeah the load that you have to invest into passwords is just way too much right like passwords are a means to get your job done they're none of them so avoiding that drum roll let's see 65 uh this came from TechRadar survey that we did this is absolutely aligned with what we see in the industry even across security conscious companies companies that have deployed PAM solutions it is very common to have password reuse if you don't have visibility into that then one password compromise can lead all over the place it definitely definitely is a challenge which leads us into our second problem um one of the traditional issues we run into with a legacy PAM solution is they may provide great security controls great compliance controls great whatever but if it's only deployed to three or four guys in the IT group or it's only deployed to a very small subset of your organization you might have some really good controls there or you might have good controls in the process of being deployed which we find quite often is that the PAM components end up being a journey that everybody's in the middle of I've never seen someone reach the end of the journey but hey that's great um yeah I don't think anyone will ever reach the end of their journey uh man it's yeah even when you talk to those that are you know 18 24 months into a 
deployment you're like great you're into this give me a percentage it's it's never high digit percentages right it's it's it's a challenge and when your scope of protection is really limited and yet everybody in your environment could be potentially compromised or breached it is a very challenging problem to have to work through the last one we got this resonates within the PAM space more so than so many other security products if it is too difficult to deploy if it is too difficult to use if the control is too painful it's either not going to get adopted or people are going to find ways to go around it um it you cannot implement something that is too difficult um and not have some type of a challenge either disgruntled people now if that's your only option and everything else is shut down okay cool then you just gotta angry people but typically especially when you have your your engineers your systems from the people that are responsible for keeping the lights on for deploying these systems getting your code of getting your websites getting the things out there they have the controls to get around this if they have to most of the time so let's make it easier to use the tool than it is um to not use the tool yeah I mean too much not just PAM but other bits of software are designed not for the way people work but just designed to control the way they work rather than and you you mentioned devs DevOps their classic example of well first they're super smart so they know how to get around everything um and and they do get around it because they don't like they see anything security as a barrier well yeah if option one is you know bring the entire company back online and option two is really securely but a little bit slower you really just sometimes business has to exist yeah regardless so it's um it's challenge and again additional challenges we find inside and outside man it's tough you find more complex environments becoming either through on-premise cloud 
deployments through acquisitions through mergers through small departments like IT teams buying a PAM solution just for them and then somebody else having a another solution needed for another org there's a lot of complexity that gets introduced to your business as you grow and that's that's normal that's fine at some point you have to make the decision to manage it and you have to make the decision to control it and um as you expand your attack surface expands too so you have to protect all those components it's it's a challenge definitely definitely is without question next question uh what European country suffered the most cyber attacks in 2022 UK Germany or France so we're going to give uh people following along a couple seconds to answer that first Paul any guesses I'm gonna guess it's my country the disunited kingdom rather than the slight kingdom yeah less united than it used to be uh but yeah seriously I think it's probably UK all right drum roll and our answer is that is well there you go yeah um for for many reasons right um the UK has historically had a lot more banking and finance organizations for the world those are incredibly juicy targets and um it's the there's a lot of reasons that work into this but that's what the numbers have told us yeah and that's an up-to-date stat as well so it is hmm all righty so what is the solution to all these crazy problems well hey good news Keeper's here to save the day right um from our side we really really did try and focus on uh creating a next-gen security platform um one of the things we did we didn't come into the PAM space uh as an entrant and a choice we made we came in from the password management from the um from the almost consumer side and getting across this but it means that some of our core foundational security components zero trust zero knowledge the user's right to privacy the user's right to own their data things like that were just part of our platform and so as we were evolving into a fully 
fledged PAM solution we realized that these security choices we made earlier on are really really impactful and just make some of the cutting-edge security considerations just natural for us zero trust is normal nobody has access to anything no admin can see our passwords it's just how we were so it's really powerful to evolve into that and bring our requirements for just an easy to use easy to understand environment in there so when we look at what KeeperPAM really is right we've got three main components our enterprise password management this is the vault it is your storage it is your uh credential store secure file store you handle sharing alerting reporting all of those components uh the connection manager is the um privileged session management set of capabilities and that allows you to you know connect to the targets without sharing the keys or credentials it allows the sessions to be you know tracked and monitored recorded this this does a really good job across any of the compliance use cases you may have know who's coming in know what they did when they were in there and you know be able to restrict it and you know ensure there are no passwords used on the secrets manager side um that's really just the the opposite of the password management right password management does a great job of solving the human use cases hey give me multi-factor uh check your email for validation you know putting your YubiKey things like that those types of controls really don't make sense uh for the machines we have a different set of controls for providing credentials to the machines for understanding tracking usage automatic rotation of the passwords and keys things like that it's a different set of controls but it's largely the same use cases the thing needs access to the stuff how does it get it should it have it and you know is it going to get the right things that just applies across the board so those are the core components that make up our platform out the gate 
things that absolutely set us aside you're not stacking and racking servers you're not setting anything up on premise it's you know cloud native cloud-based it's a much more easy to follow uh customer experience to get through the and actually to get to meaningful protection quickly as opposed to you know being through these long deployments that require services when we think of the evolution the industry has really had you know CyberArk was the first entry in the space um they're they have powerful capabilities and they've been evolving on that for many many years they've got just if you want it they've probably got one or two of them that are available to you uh your BeyondTrust your Thycotic slash Delinea evoke um those have been the evolution on the Keeper side we really wanted to leapfrog what some of the other players were doing and make sure that we just launched a complete cloud native easy to use up and running in 20 minutes instead of you know let's start planning on what certificates we have to buy what databases we have to set up do we have enough Microsoft licenses like no just get to your protection that you need as quick as possible the the ease of use it's hard to state the stark difference between getting value out of a traditional solution versus Keeper it's you know we we have up and running in the same day type of thing we also have a really strong focus on our security model and how we lock things down every record has its own encryption so we have record level encryption we have so many other protections around outside of just your PAM IT use case this vault is designed to be used by everybody in your environment it makes the the password management password sharing components really easy if everybody has the ability to securely store stuff on their mobile devices their browser their desktop wherever they are if the passwords are there and the usage is controlled by your organization it makes it easier and that's really the the big switch 
where we have on the security adoption paradox we try and make business and normal access easier than without the solution and I really really hope we've gotten there but that's that's for our customers to tell us if we've actually attained it but we are trying and that's a core focus there is definitely a demand and there is a trend towards uh sort of decentralizing uh admin so that people in lines of business or in departments are actually given admin controls which traditionally would have all been centrally managed um but they have to be easy to use uh and so you're absolutely right there to be thinking about that yep and when we think of the the the various use cases right there's so many things within within password management session management PAM just the whole alphabet soup of what we can do that you can do but we're going to look at the key things that we solve right it's the credential risk that exists um either through users whether they're getting phished from clicking on the wrong website you know browser extensions will stop and protect that whether it's credentials being shoved into Teams or Slack or email or some other system we have you know secure sharing capabilities that you can track and then just automatic rotation of the credit like there's there's a whole series of capabilities where we really try and focus on ensuring that we're delivering the necessary capabilities to either properly attain compliance or solve security use cases quickly and we target those solve them make them elegant and then you know try to move on to the next one to ensure we're able to get there as needed our security architecture I've worked at several security companies and Keeper's foundational security is amazing zero knowledge from a cloud vendor is not stated enough this this is the the core foundational tenet that you as a customer own your data and have absolute control over it and there is zero knowledge to us as a vendor in the cloud we cannot access we cannot 
decrypt it, we cannot use it. We are very limited. Effectively, we are storing your ciphertext. Any of your key derivation is done in your environment. Any of your rotation, those keys are calculated under assets that you control. And you're just, like, various things where even if we were to get, like, an information request from an organization saying, "Hey, we think that Paul's a terrorist, please give us his vault," the answer is we have no way to access it. We have no way to get to that, and you're going to have to get that from Paul. Just foundationally, we are unable to access and crack these things open, and that's a good thing. We really, really pride ourselves in Keeper as not having the ability to do any of that crazy stuff, which is somewhat unusual. You know, normally within the PAM space, the PAM product, it holds the keys to the kingdom. It holds everything, and so you just have to protect that really well, because if that gets cracked open, you've got really significant problems.
Looking at our platform and where we go, we try and keep it really simple. Most of our things are deployed from the cloud. We've got our various products: the admin console, the user vaults. Those are available if you want it on your mobile device: go to the app store, try it out. If you are in a browser, we have the browser extension. And then for the privileged components on premises, we have very lightweight rotation gateways that exist in your environments. You're not setting up large databases, you're not setting up high availability and load balancing and all these other things. We handle a lot of the portal, the administrative or the control access, with all the security behind it to make sure that we are absolutely there.
From a security standpoint, we have the whole alphabet soup. Pick one set of acronyms or letters, we've probably got it. The most difficult and highest level security certifications on the list are our FedRAMP. This means that we're able to be deployed into, you know, some of the
most secure environments in the world, and that is a significant security control to go through, from code reviews to validation to encryption reviews to everything you need. So from a Keeper perspective, foundationally, everything we need from our core security foundation has allowed many of these certifications to just be a breeze, because we don't have to change anything. The answer is: no, the user controls the data; no, we can't see the data. So it's really nice. I'm a big fan of that. All right, now hopefully we've got some questions from the team and we can get into potentially our Q&A section.
We do have questions, hey. So the first one is from Charles Newman. I mean, this is potentially a question that could take some time to answer, but he says: how does Keeper Security compare to CyberArk, BeyondTrust? Why would someone choose KS over these two vendors?
That is a great question. The simplest is, it's not about picking us as a vendor, who's your favorite. You're right: think about the security controls that you need, think about how you need to protect your organization, what are the things you absolutely need, and then come to vendors with that list. Don't get, you know, distracted by entire feature lists of things that you may or may not need. Figure out: what is the problem I'm trying to solve, where I'm not trying to go. And we're hoping that if Keeper Security can solve the problems that you need, then we'll solve them more elegantly than other competitors. As an example, we don't have requirements for professional services to get deployed. You can get up and running fairly quickly on your own. We're not as, you know, crazy on the cost side. So that's a determination that you need to make on your own, but make sure you stick to focusing on the problems that you need solved in your environment, and hopefully we can be a partner with you.
Okay, thanks. Next question is: what are the most interesting critical trends you see at PAM in 2023 and
beyond? So I guess we're talking about '24 really now, since it's already September. So Zane, what's... I mean, we've mentioned some already, but...
No, we definitely have, right? So there are new technologies coming out throughout, whether it's passwordless evolution, whether it's passkeys, whether it's, pick any number of acronym soup for the various, you know, PAM capabilities that exist. So there are some trends in the industries that we see coming up, but when you break things down to just why are customers getting breached, why are customers failing audits, it's not usually the trends, it's the basics. It's: who has access to this? Who should have access to this? You know, what happens if XYZ system... I don't know, what happens if you rotate this password? Things like that. We find that things like long-standing credentials, hard-coded credentials into systems and source code and stuff, those tend to lead to more breaches. So, I don't know, it's tough to focus on the trends when some of the basics aren't handled as well.
Yeah. Actually, here's a really good question, and it kind of relates to what I was saying about some companies are resistant to just-in-time and resistant to getting rid of standing privilege. And Andrew, well, his name seems to be Andrew Andrew, but I don't think that that's his name, but anyway, he said: our OT/ICS users are resistant to just-in-time privileges. They claim that for safety-critical systems, standing privileges are safer. "Comments?", he says.
So there are some systems where standing privileges just make sense. Industrial control systems historically have more difficult management consoles to manage, more difficult components to protect. And so I think the newer thinking is: if you can move to the just-in-time credentials, do so. If there isn't, you know, the password on the device for somebody to find or scour or attempt to reuse through token reuse, then you're better. But for some of your systems, it's just
not practical, and that's fine. There's nothing wrong with that. Plan for it to be managed accordingly. What we find many times is that if you put a good network barrier around those systems and have only authorized entry points, it is much easier to control and protect them. And so if you do have to have those systems that exist, that's part of your business, you don't have a choice, let's just find the most appropriate way to protect them.
Great. We got some great people on the webinar today, some great questions. David Murray Mano, his question is: with PAM being a critical discipline of a holistic IAM program, what recommendations would you make to get the point across that PAM needs IGA and access management, and those disciplines need PAM, to mature IAM overall for an organization? Great question, that is.
You want to take a first stab at that one, Paul?
I agree that probably PAM is currently seen as part of IAM overall. We haven't even talked about IGA or access management in this whole call or webinar. Now, I think my view is that PAM can be purchased as a standalone product to do specific functions that we've been talking about, in terms of allowing access to highly sensitive resources. However, probably in a bigger picture, it probably works better with... depending on the organization, depending on the size, depending on the capabilities within the PAM that you choose, it will benefit it to work with IGA or identity providers, no less. I don't know about it has to work necessarily with a wider IAM system, because I think that's what's happening, is that everything is blurring anyway.
Like, yes, I think you kind of hit the nail on the head, right? These technologies, they're inextricably linked together. Like, you know, just when you think about the user experience: I want to use my Active Directory login or my corporate login to get to all the stuff. And, you know, privileged solutions should allow you to just identify and do your assertion of
identity as yourself, and then the appropriate capabilities follow behind that. But man, every one of those components and disciplines has its own specific components, but I think they exist within your environment, and focusing on what is it that I'm trying to provide or prevent, right? Am I trying to say that devs get access to this, or everybody else doesn't get access to this? Then those business goals, as long as they don't get lost in implementation, can help you drive some of that strategy better.
Sure. I mean, actually, this brings it... there's two questions here, both about ITDR. One says: what areas ITDR can't cover that PAM can cover? Do you think ITDR replaces IAM? And then the second question is: it's not clear to me what identity threats are and consequently how to respond to them. Currently it seems that vendors are using the term to mean what we offer, the zero trust of IAM. I actually don't quite understand that question, but let's just say, let me paraphrase all that and say: how will ITDR, where does it fit into the PAM story right now, and the IAM story? Because I think if you take my version of events, where you control your identities and you give the identities the credentials to get access to privileged resources, then ITDR probably does serve a useful function in assessing those identities in the first place and knowing...
Yeah, I think, so, like, skipping the acronyms, right, your detection and threat response, this is the layer that finds the bad stuff and tries to respond to it. These other systems become points of input for your threat detection. Are there weird things happening in your PAM solution? Are there weird things happening in your identity and access management components? And then if there are suspicious activities occurring, your, you know, threat detection and response systems, whatever those end up being, should highlight those. And so the necessity for these to be interconnected, you
know, we ran down the whole SIEM journey many, many years ago. The thought behind it was: you've got a bunch of stuff, a bunch of software, a bunch of implementations, let's send the telemetry to a system to analyze it. That was a great desire. I think the implementation of how far SIEMs have come and how much value customers are getting out of it is a little bit lacking compared to the promise of it, but the fundamental approach is that your threat detection and response needs to be more broad than just particular disciplines. It has to look at all your solutions and implementations.
Yeah, for sure. Okay, a more focused one for you this time, and probably a bit easier to answer perhaps, is: how does Keeper integrate workloads? Machine privileged access is becoming as big as human privileged access, asks Andrew Sangulash, I think that's how you pronounce it. Well, he's absolutely right, it's becoming bigger actually, but yeah.
Yeah, so I think the privileged access management at its foundation, as a practice, is designed to handle this, right? You have users and/or machines and/or systems, things that need to get to stuff. And in this case, we're interested in the machines getting access to their systems and requesting them, and you want oversight and control into that. You can oftentimes use the same human controls on that. Machines act very differently. They request stuff differently, whether it's API keys or database credentials or source codes. So from the Keeper side, we have a comprehensive set of integrations into your existing tools, right? CI/CD tools, your Jenkins, your GitHub, your Azure DevOps, yeah, secret vault, your HashiCorps, whatever it is that exists there. We focus on saying: let's integrate with that, let's remove these individual credential silos that exist in 10, 20, 30, 40 places in your environment and get them into a location where the source of truth for credentials is handled, your management oversight, your automated policy around credentials,
credential usage, credential rotation or privileged access is there. So I think the slightly longer answer is... short version of that is, we have an enormous amount of integrations that allow you to analyze where things are in your environment and determine, like, hey, we've got this Jenkins server, great, let's integrate it. We don't have to throw it out. We want to integrate it so that the credentials fit into the larger compliance and solution, and you can continue using those, but there's no hard-coded credentials in the system, there's no long-standing secrets that exist in those secret vaults all over the place. They're only retrieved when they're needed. They're not there all the time.
Fantastic. We do have one more question, but I think it might be difficult to answer online, but I'll give it a go: how does Keeper Security help in meeting PAM requirements specific to UK Telecom Security Act 2021? Personally, I don't know what the requirements of that are, but it's one that we could certainly follow up on, I imagine.
Right. Let's generalize this. Every security and compliance framework worth its salt is going to have something in sections one or two that says: don't be dumb with passwords, don't reuse passwords, and know who has access to stuff. That's generally the foundation for the necessity for the PAM solutions. So I'm unfamiliar with that particular framework, but generally, if you have visibility into where your systems are, where your credentials are, who's using them, who had access to them, and you're able to ensure just a general state in your environment of least privilege, you're good from a foundational security perspective. There may be idiosyncrasies in every framework to do things a little differently, but that's my quick answer without knowing enough about the framework. Sorry.
Yeah, for sure. Well, that was Isish Matthew. We'll get back to you with more details about that. But thanks everyone for really great
questions today. It's really nice to interact with you all. I just realized that I could have displayed these questions on the screen, but I'm sorry, this tool is new to me. Also, I'm sorry that I didn't reveal the answers to my quiz questions, but it doesn't matter, because whoever got them, there's one person who got them right, and we will send you the prize of those headphones. In the meantime, let me just say thank you so much to Zane for, you know, what's been a really good webinar. Really enjoyed talking to you and discussing stuff, and I hope to see you... hopefully you'll be working with us on the Leadership Compass.
Yeah, absolutely.
PAM, yeah. So thanks everyone for listening, watching. Bye for now, I guess.
Thank you.